OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

HOSPITALS’ USE AND PROTECTION
OF SOCIAL SECURITY NUMBERS

January 2006    A-08-06-16056

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

• Conduct and supervise independent and objective audits and
  investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and
  operations.
• Review and make recommendations regarding existing and proposed
  legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of
  problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.
SOCIAL SECURITY
MEMORANDUM

Date:    January 27, 2006                Refer To:

To:      The Commissioner

From:    Inspector General

Subject: Hospitals’ Use and Protection of Social Security Numbers (A-08-06-16056)

OBJECTIVE

Our objective was to assess hospitals’ use and protection of Social Security numbers
(SSN) and the potential risks associated with such use.

BACKGROUND

Hospitals admit thousands of individuals each year. To assist in this process, and for
other purposes, many hospitals use patients’ SSNs. Although no single Federal law
regulates overall use and disclosure of SSNs, the Social Security Act and the Privacy
Act of 1974 contain provisions that govern disclosure and use of SSNs. Additionally,
the Health Insurance Portability and Accountability Act of 1996 addresses the privacy
and security of all “individually identifiable health information.” See Appendix A for more
information on the specific provisions of these laws.

We selected a sample of 10 hospitals nationwide. For each selected hospital, we
interviewed hospital personnel and reviewed hospital policies and practices for using
and protecting SSNs. See Appendices B and C for additional details regarding our
scope and methodology and hospitals we visited, respectively.

RESULTS OF REVIEW

Based on our interviews with hospital personnel and reviews of hospital policies and
practices, we are concerned about hospitals’ use and protection of SSNs. Despite the
increasing threat of identity theft, some hospitals used SSNs as patient identifiers or for
other purposes, even when another identifier would suffice.
In addition, some hospitals
unnecessarily displayed SSNs on documents that may have been viewed by hospital
personnel, some of whom may not have had a need to know. Based on our previous
audit and investigative findings, we know that unnecessary access, disclosure, and use
of SSNs increase the potential for dishonest individuals to obtain these numbers and
misuse them, thus creating SSN integrity issues. Some hospital personnel with whom
we spoke shared our concern and were taking steps to limit SSN use.

HOSPITALS’ USE OF SSNs IS WIDESPREAD

Hospitals primarily used SSNs for internal administrative purposes, such as admitting,
registering, billing, insurance, and research. Although the hospitals generally used
patient medical record numbers as primary identifiers, they also used SSNs as a
secondary identifier. Hospitals also collected and used SSNs to verify patients’ eligibility
or insured status because some government benefit providers (that is,
Medicare/Medicaid) and health insurance companies use SSNs as primary identifiers
and display the number on their members’ identification cards. Most hospital officials
told us they use SSNs because each is unique to an individual and does not change like
other identifiers. This is particularly vital in a hospital setting, given the importance of
tracking patients’ medical records among multiple health care providers. However,
officials at all of the hospitals we visited told us that, if patients did not provide their
SSN, the hospital assigned them an alternate number.

One hospital official told us his facility displays SSNs on the wristbands of those
patients whom the hospital admitted before 1999. However, this practice does not
apply to new patients or patients the hospital admitted in 1999 or later. The hospital
assigns these individuals a machine-generated medical record number, which is
displayed on patients’ wristbands.
Displaying SSNs on patient wristbands allows
countless individuals the opportunity to view patients’ SSNs, unnecessarily subjecting
them to the possibility of identity theft.

Hospitals also provided patient SSNs to external entities. That is, hospitals provided
SSNs to third parties, such as researchers, contractors, insurance companies, and
other medical providers. They also provided patient SSNs to various Federal and State
agencies for health statistics and registries. In addition, hospitals used SSNs to track
patients’ medical records among multiple providers, which helped identify patients’
medical histories.

The executive director of a large health information association told us that almost all
hospitals include SSNs as one element of their patient’s identity file (that is, secondary
identifier). She estimated that about 5 percent (about 288) of hospitals nationwide use
SSNs as primary patient identifiers. According to this official, patients’ SSNs are
generally displayed on every page of a paper record, every screen of an electronic
record, and the key field in all databases. Furthermore, patients’ SSNs are available to
anyone who might obtain copies of the patient’s medical record.

HOSPITALS PLACE CONTROLS OVER PATIENT INFORMATION BUT DISPLAY
SSNs ON DOCUMENTS THAT MAY BE VIEWED BY INDIVIDUALS WITHOUT A
NEED TO KNOW

Hospitals had some controls in place to safeguard patient information, including SSNs.
For example, hospitals (1) limited physical and electronic access to computers and
information systems, (2) shredded documents that contained personal identifying
information, and (3) conducted self-reviews to ensure compliance with policies and
procedures.
In addition, hospitals entered into business associate agreements with
third parties that contained specific language related to personal information
safeguards.

While delivering medical services, however, some hospitals displayed SSNs on
documents that may have been viewed by others, some of whom may not have had a
need to know. We identified numerous instances in which hospital personnel, such as
doctors, nurses, laboratory technicians, dieticians, and social service personnel, had
access to medical records containing patients’ SSNs. We question whether these
individuals need to know a patient’s SSN. We also identified instances in which hospital
personnel displayed SSNs on data it sent to third parties/independent contractors, such
as consultants who provided systems and technical support. We question whether
these third parties need to know a patient’s SSN.

We believe displaying SSNs on documents (paper or electronic) that may be viewed by
hospital personnel or third parties who may not have a need to know increases the risk
that others may improperly obtain and misuse the SSN. In fact, hospital officials
acknowledged the potential risks for identity theft and fraud, and one director of hospital
operations told us he plans to recommend that patients’ SSNs be limited to only those
personnel who have a business need to know.

POTENTIAL RISKS ASSOCIATED WITH COLLECTING AND USING SSNs

Hospitals’ collection and use of SSNs entail certain risks. Each time an individual
divulges his or her SSN, the potential for someone to illegally gain access to personal
identifying information increases. For example, an employee at 1 hospital we visited
stole the SSNs and other personal identifying information from document labels on
13 patients’ medical records.
Hospital officials told us they recognized the vulnerability
associated with displaying SSNs on document labels and discontinued this practice.
Because many hospitals still use SSNs as patient identifiers or for other purposes,
patients’ exposure to identity theft remains today. We believe the following examples
illustrate patients’ risk of exposure to such activity.

• Minnesota authorities convicted 2 hospital employees of stealing 32 patients’
  identities. The identity thieves used this information to open fraudulent credit card
  and telephone accounts and charge over $78,000. Both individuals were scheduled
  to be sentenced to serve a period of 4 to 6 months in a workhouse and render
  restitution. They are also prohibited from employment in which they would have
  access to confidential patient information.

• A man used the identities of four patients at a Connecticut hospital to purchase
  $6,000 in home improvement merchandise. Police believe the perpetrator obtained
  this information from his wife, who worked at a hospital. The man was charged with
  79 counts of receiving goods and services from illegal use of a credit card, 36 counts
  of credit card crimes of possession, and numerous counts of larceny and identity
  theft.

• A hospital employee in Alabama earned $100 for each name and SSN she gave a
  buyer who used the numbers to file fraudulent tax returns. The victims were
  children.

• A nurse in Missouri was sentenced to 1 year and 1 day in Federal prison for stealing
  identity information of two patients.
  She admitted using her access to patient
  information to obtain credit accounts and make purchases on these accounts.

SOME HOSPITALS AND HEALTHCARE-RELATED ENTITIES ARE TAKING STEPS
TO LIMIT SSN USE

Incidences of identity theft at hospitals and the recognition that SSNs are linked to vast
amounts of personal information have led some hospitals to reconsider their use of
SSNs. Several hospitals we visited are taking steps to limit SSN use. In addition, some
healthcare-related entities have turned to alternate identifiers.

The director of health information services at one hospital and assistant administrator at
another hospital told us their facilities plan to truncate patients’ SSNs because of
identity theft concerns. The director also told us his hospital received a significant
number of patient and employee complaints regarding SSNs in its computer systems.
The director told us his hospital is taking steps to identify (1) hospital personnel who
need to know the entire SSN and (2) information system pathways that will be affected
by the change. Both hospitals will continue to use patients’ entire SSNs for billing and
eligibility purposes because some health insurers and Medicare/Medicaid use SSNs as
primary identifiers.

One large California health insurer we visited removed SSNs from member identification
cards because the State enacted a law¹ restricting such activity. The health insurer
created a unique number to identify members in its databases. Health
insurer officials told us the company wanted to reduce its vulnerability to identity theft by
reducing its reliance on SSNs as primary identifiers. In fact, most of its affiliated
independent insurers have issued new identification numbers. In addition, a director
with the Centers for Medicare and Medicaid Services told us the Agency is considering
replacing SSNs with alternate identifiers because of increased identity theft and privacy
concerns. According to the director, her agency is analyzing data to determine the
types of information systems and work processes that would require revisions to
accommodate such a change. Because Medicare/Medicaid use SSNs as primary
identifiers and display the number on their members’ identification cards, we will provide
a copy of this report under separate cover to the U.S. Department of Health and Human
Services’ Inspector General.

¹ California Civil Code § 1798.85 (2005).

A large health information management association we visited published best practice
procedures for safeguarding SSNs. The association recommended that healthcare
organizations “minimize the use of Social Security numbers for identification: whenever
possible, redact or replace some of the digits in the Social Security number; avoid
displaying the entire number on any document, screen, or data collection field.” In
addition, the association recommended that only “staff directly involved in patient
registration, billing, collections and number reconciliations” should have access to
SSNs. The association did not believe most hospital personnel, such as nurses,
dieticians, radiologists, or pharmacists should have access to patients’ SSNs.

CONCLUSION AND RECOMMENDATIONS

Despite the potential risks associated with using SSNs as patient identifiers, hospitals
continue this practice. While we recognize the Agency cannot prohibit hospitals from
using SSNs as patient identifiers, we believe it can help reduce potential threats to SSN
integrity by encouraging hospitals to limit SSN collection and use. We also recognize
the challenge of educating such a large number of hospitals.
However, given the
potential threats to SSN integrity, such a challenge should not discourage the Agency
from taking steps to safeguard SSNs. Accordingly, we recommend that the Social
Security Administration:

1. Coordinate with hospitals and relevant healthcare associations to educate hospitals
   about the potential risks associated with using SSNs as patient identifiers. For
   example, we believe the Agency should consider hosting or participating in
   conferences to discuss ways hospitals can enhance SSN integrity.

2. Encourage hospitals to limit their collection and use of SSNs. For example, we
   believe hospitals should safeguard patients’ SSNs by limiting access to hospital
   personnel and external entities with a business need to know and avoid displaying
   the entire number on any document, screen, or data collection field.

3. Encourage the Centers for Medicare and Medicaid Services to remove SSNs from
   its identification cards and partner with them to develop an alternate identifier that
   meets both agencies’ needs.

4. Promote the best practices of hospitals that are taking steps to limit their use of
   SSNs. For example, the Agency could promote best practices through activities
   such as contributing articles to healthcare-related journals and association
   newsletters.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with our recommendations. The Agency’s comments are included in
Appendix D.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Federal Laws that Govern Disclosure and Use of the Social Security
             Number
APPENDIX B – Scope and Methodology
APPENDIX C – Hospitals Visited
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Federal Laws that Govern Disclosure and Use
of the Social Security Number

The following Federal laws establish a general framework for disclosing and using the
Social Security number (SSN).

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
(42 U.S.C. §§ 1320d-1320d-8; P.L. 104-191, §§ 261 – 264; 45 C.F.R. Parts 160 & 164)

HIPAA’s Administrative Simplification provisions address the privacy and security of
health data, including SSNs. HIPAA’s Privacy Rule protects all "individually identifiable
health information" held or transmitted by a covered healthcare entity or its business
associate, in any form or media, whether electronic, paper, or oral. HIPAA’s Security
Rule specifies administrative, technical, and physical safeguards with which the covered
healthcare entity must comply to assure the confidentiality of electronic protected health
information.

The Social Security Act

The Social Security Act provides that “Social Security account numbers and related
records that are obtained or maintained by authorized persons pursuant to any
provision of law, enacted on or after October 1, 1990, shall be confidential, and that no
authorized person shall disclose any such Social Security account number or related
record” (42 U.S.C. § 405(c)(2)(C)(viii)).
The Social Security Act also provides that
“[w]hoever discloses, uses, or compels the disclosure of the social security number of
any person in violation of the laws of the United States…shall be guilty of a felony…”
(42 U.S.C. § 408(a)(8)).

The Privacy Act of 1974 (5 U.S.C. § 552a, note; P.L. 93-579, §§ 7(a) and 7(b))

The Privacy Act of 1974 provides that it is unlawful for any Federal, State or local
government agency to deny any person a right, benefit, or privilege provided by law
based on the individual’s refusal to disclose his/her SSN, unless such disclosure was
required to verify the individual’s identity under a statute or regulation in effect before
January 1, 1975, or such disclosure was required by Federal statute. Further, under
Section 7(b), a Federal, State or local government agency requesting that an individual
disclose his/her SSN must inform the individual whether the disclosure is voluntary or
mandatory, by what statutory or other authority the SSN is solicited, and what uses will
be made of the SSN.

Appendix B

Scope and Methodology

To accomplish our objective, we

• visited 10 hospitals nationwide;

• interviewed hospital personnel responsible for patient admissions, information
  systems, medical records, and compliance with policy and procedures regarding the
  collection, use and protection of patients’ Social Security numbers (SSN);

• reviewed applicable laws and regulations; and

• reviewed selected articles regarding hospital employees’ and others’ misuse of
  patient demographic data, including SSNs.

In addition, we visited the American Hospital Association and the American Health
Information Management Association regarding hospitals’
collection and use of SSNs.
We also visited Blue Shield of California to discuss its experience of replacing SSNs
with unique member identification numbers. We also contacted the Centers for
Medicare and Medicaid Services regarding its use of SSNs as identifiers. The Social
Security Administration entity reviewed was the Office of the Deputy Commissioner for
Operations. We conducted our audit from May through September 2005 in accordance
with generally accepted government auditing standards.

Appendix C

Hospitals Visited

Hospital                                        Location            Type of Control   Bed Size

University of Maryland Medical Center           Baltimore, MD       Nonprofit         726
Northwestern Memorial Hospital                  Chicago, IL         Nonprofit         657
Brookwood Medical Center                        Birmingham, AL      Profit            485
John H. Stroger, Jr. Hospital of Cook County    Chicago, IL         Government        459
Greater Baltimore Medical Center                Baltimore, MD       Nonprofit         314
Princeton Baptist                               Birmingham, AL      Nonprofit         309
San Francisco General Hospital                  San Francisco, CA   Government        303
Kaiser Permanente San Francisco Medical Center  San Francisco, CA   Nonprofit         243
Children's Hospital of Alabama                  Birmingham, AL      Nonprofit         225
Cooper Green Hospital                           Birmingham, AL      Government        148

Appendix D

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      January 19, 2006                Refer To: S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Larry W. Dye /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report "Hospitals' Use and Protection of Social
           Security Numbers" (A-08-06-16056)--INFORMATION

We appreciate OIG’s efforts in conducting this review. Our comments on the draft report content
and recommendations are attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to
Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, "HOSPITALS' USE AND PROTECTION OF SOCIAL SECURITY
NUMBERS" (A-08-06-16056)

Thank you for the opportunity to review and comment on the draft report. We appreciate
the report’s acknowledgement that the Social Security Administration (SSA) cannot
prohibit hospitals from using Social Security numbers (SSN) as patient identifiers and that
the report also recognizes the challenges of educating hospital communities. Our responses
to the specific recommendations are provided below.

Recommendation 1

SSA should coordinate with hospitals and relevant healthcare associations to educate
hospitals about the potential risks associated with using SSNs as patient identifiers. For
example, we believe the Agency should consider hosting or participating in conferences to
discuss ways hospitals can enhance SSN integrity.

Response

We agree with the intent of the recommendation. While we can include information about
the protection of the SSN as part of future presentations and conferences with medical
providers where we are an active participant, our outreach efforts would be contingent upon
the availability of resources.
We will also consider using our Office of Disability
Program’s website, (http://co.ba.ssa.gov/disability/odp/professional_relations.html), as a
resource for educating medical professionals about the potential risks associated with using
SSNs as patient identifiers. This website is currently used to provide helpful information
for the Professional/Medical Relations Officers and Regional Professional Relations
Coordinators.

Recommendation 2

SSA should encourage hospitals to limit their collection and use of SSNs. For example, we
believe hospitals should safeguard patients’ SSNs by limiting access to hospital personnel
and external entities with a business need to know and avoid displaying the entire number
on any document, screen, or data collection field.

Response

We agree and will incorporate this recommendation in conjunction with existing and/or
future outreach efforts as indicated in our response to recommendation 1.

Recommendation 3

SSA should encourage the Centers for Medicare and Medicaid Services (CMS) to remove
SSNs from its identification cards and partner with them to develop an alternate identifier
that meets both agencies’ needs.

Response

We agree with the intent of this recommendation. On December 6, 2005, CMS advised us
that they had conducted an internal survey in August 2005 to help them assess the impact of
removing SSNs from Medicare cards. CMS is now finalizing a report of their findings.
They intend to share their findings with SSA, the Railroad Retirement Board, and other
governmental and nongovernmental third parties which would be impacted by any change
involving the Medicare card and/or the use of alternative identifiers for Medicare/health
insurance purposes. Any changes CMS is considering need to be evaluated in terms of the
financial and systems impact the changes would have on the Agency.
We look forward to
reviewing CMS’s report and working with them to ensure the SSN is protected from
unnecessary and/or unauthorized disclosure.

Recommendation 4

SSA should promote the best practices of hospitals that are taking steps to limit their use of
SSNs. For example, the Agency could promote best practices through activities, such as
contributing articles to healthcare-related journals and association newsletters.

Response

We agree. Through our Office of Communications’ partnerships with national and regional
hospital associations, we will request that these organizations highlight best practices of
hospitals who are taking steps to limit the use of the SSN in their healthcare-related
magazines and newsletters.

Appendix E

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kimberly A. Byrd, Director, 205-801-1605

   Jeff Pounds, Audit Manager, 205-801-1606

Staff Acknowledgments

In addition to those named above:

   Theresa Roberts, Senior Auditor

   Kim Beauchamp, Writer-Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s
Public Affairs Specialist at (410) 965-3218.
Refer to Common Identification
Number A-08-06-16056.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary
Penalty program.

Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.